Data security & Encryption

Cyber Risk underwriters have recently become more focused on the data security practices for portable media such as laptops, thumb drives and smart phones. Underwriters expect accounts with highly confidential data to use best practice to help mitigate the exposure. In particular, we are seeing underwriters review encryption practices more closely.

Why the concern?

Hackers are becoming increasingly successful in breaching security measures at both large and smaller companies. The methods have moved beyond traditional hacking to more creative approaches such as direct theft of security information.

Breach.

A data breach occurs when personally identifiable information, such as names and credit card numbers, are exposed to third parties. A breach can occur in a variety of ways, from a hacker obtaining unauthorized access to a system to the loss of a thumb drive containing confidential information. The loss of portable media with confidential information is considered a breach even if it is not known whether a hacker has obtained the information.

Notice.

Many jurisdictions have passed laws and regulations requiring notice to regulators and to individuals whose information may be compromised when a breach occurs. The notifications costs and the adverse publicity are significant. A loss of data has to be reported to regulators and notifications sent to every individual whose information was compromised even if the data is never used by a third party

The Solution.

Organizations can protect confidential data through encryption.

What is Encryption?

Encryption is a process of changing information into a format that is unreadable without a key (or password). It is essentially a coding process that is now being widely used to protect confidential information. Encrypted data is meaningless to a third party without the key.

Encryption and Notice.

Some definitions of breach exclude the loss of portable media, such as a laptop, when the confidential data on the portable media is not encrypted.

Underwriting Portable Media.

Because the loss or theft of laptops, thumb drives, iPads, and smartphones occurs frequently, the exposure is significant. One approach to underwriting this exposure is to understand the exposure for each account. Some underwriters will ask detailed questions to assess the exposure, and decline to write certain accounts if encryption is not used for portable media.

Underwriting Questions.

Underwriters may ask the following questions:

• How is all sensitive data stored, transmitted and destroyed?
• What controls are in place to protect the security of data, particularly unauthorized access?
• What is the number of mobile devices being used?
• What is the maximum number of personally identifiable information ("PII") stored and transferred?

Other underwriters will simply add wording to restrict or exclude losses from this exposure as follows:

• Arising out of or resulting from theft or loss of any portable media or computing device containing data in an electronic format which is not maintained in an encrypted format

Tennant Risk Services - Your Technology E&O/Cyber Risk Specialist

We can help you navigate the Technology E&O/Cyber Risk insurance business.

Tennant Risk Services is a wholesale broker providing professional liability for a wide variety of professional organizations. We offer a broad portfolio of Technology Professional and Cyber Risk products, in many cases customized to meet the specific needs of an individual or group of technology professionals or users. We will provide you with the experience, expertise, and market access that you need and expect to meet your clients’ needs.

Request For Information